
[ubuntu-hardened] NULL scan.

From: Daniel Curtis <sidetripping_at_nospam>
Date: Wed Jan 30 2013 - 19:33:50 GMT
To: ubuntu-hardened@lists.ubuntu.com

Hi

I've added a rule to my iptables script, which is responsible for
filtering --tcp-flags. After adding this rule, I've noticed that many
IP addresses are trying to... scan(?) my computer. This rule contains
something like:

-m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG

Also, I've added the ability to log this rule, e.g. -j LOG --log-prefix
"NULL SCAN: " etc.
But something is not as it should be. As we know, an attacker uses a TCP
NULL scan to determine if ports are closed on the target machine by sending
TCP segments with *no flags* in the packet header. I wonder if the above
rule is good, because if a NULL scan does not use flags, the iptables rule
should look this way: ALL NONE (instead of all these flags), right?

Some information from e.g. the /var/log/kern.log file:
===================================
Jan 30 20:06:03 X kernel: [ 4749.200324] NULL SCAN: IN=eth0 OUT= MAC=mac_address_ SRC=173.194.70.94 DST=192.168.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=39243 PROTO=TCP SPT=443 DPT=48903 WINDOW=0 RES=0x00 RST URGP=0

and many more similar entries and IP addresses... What should I do with this?
I'm so confused.
Maybe it is normal behavior, because of the INVALID option? I ask for
some advice.
This computer (with Xubuntu 12.04.1) is used for various tests; there are
no services running, for now.

Best regards!

-- ubuntu-hardened mailing list ubuntu-hardened@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
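As an added example, not part of the original post or the list's own tooling: a small Python script that parses kern.log lines written by the iptables LOG target, extracts the bare flag words the kernel prints between RES= and URGP=, and names the pattern, so entries that carry no TCP flags at all (what a NULL scan produces) can be told apart from other INVALID-state packets such as the RST segment quoted above. The first sample line is the post's own entry joined onto one line with its placeholders kept; the second is constructed.

```python
import re
from collections import Counter

# Bare words the netfilter LOG target prints for TCP flags that are set.
TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log_line(line):
    """Parse one kern.log line from the iptables LOG target into a dict of
    KEY=VALUE fields plus "FLAGS"; return None for non-TCP lines."""
    if "PROTO=TCP" not in line:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    # Set flags appear as bare words between RES=... and URGP=...
    m = re.search(r"RES=\S+\s+(.*?)\s*URGP=", line)
    fields["FLAGS"] = set(m.group(1).split()) & TCP_FLAG_TOKENS if m else set()
    return fields

def classify(entry):
    """Name the flag pattern the way a port-scan signature would."""
    flags = entry["FLAGS"]
    if not flags:
        return "NULL scan (no TCP flags set)"
    if {"FIN", "PSH", "URG"} <= flags and not flags & {"SYN", "ACK", "RST"}:
        return "Xmas scan"
    if "RST" in flags:
        return "RST segment (e.g. a late reply to a stale connection)"
    return "other flags: " + " ".join(sorted(flags))

def summarize(lines):
    """Count (source address, classification) pairs over many log lines."""
    counts = Counter()
    for entry in filter(None, map(parse_log_line, lines)):
        counts[(entry["SRC"], classify(entry))] += 1
    return counts

# Sample input: the RST entry quoted in the post, joined onto one line with its
# placeholders kept, plus one constructed entry showing what a real NULL scan
# looks like: RES=... is followed directly by URGP=, with no flag words.
SAMPLE_LOG = [
    "Jan 30 20:06:03 X kernel: [ 4749.200324] NULL SCAN: IN=eth0 OUT= MAC=mac_address_ "
    "SRC=173.194.70.94 DST=192.168.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=39243 "
    "PROTO=TCP SPT=443 DPT=48903 WINDOW=0 RES=0x00 RST URGP=0",
    "Jan 30 20:07:11 X kernel: [ 4817.001122] NULL SCAN: IN=eth0 OUT= MAC=mac_address_ "
    "SRC=198.51.100.7 DST=192.168.X.X LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 "
    "PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 URGP=0",
]

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {n:3}  {kind}")
```

Only entries whose FLAGS set comes back empty are the ones a `--tcp-flags ALL NONE` test would match; the quoted entry carries RST, and the inverted `! --tcp-flags ...` form in the post matches any INVALID-state segment that is not carrying all six flags at once, so such RST segments being logged under the "NULL SCAN:" prefix is consistent with that rule.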